LastPass allows users to store all of their passwords in a secure locker so that they only have to remember one master password to view them all, helping people who find memorising long passwords hard. This only works for as long as the master password remains secure, though, as Lifehacker explains in an informative guide to what happens if LastPass suffers a major attack.
Writing on the LastPass blog, the company issued a security notice yesterday because of “suspicious activity” noted on its network on Friday. Although it says no encrypted user data was taken, email addresses, password reminders and authentication hashes were.
Users will be prompted via email to change their master passwords for their accounts. When logging in from a new device or IP address, users will also have to confirm the sign-in by clicking an emailed link.
LastPass says the activity was blocked and it is confident that the company’s encryption measures will have protected “the vast majority of users.” It says the stolen authentication hashes were protected with 100,000 rounds of hashing and a random salt, so it should be hard for the attackers to recover the passwords behind them “with any significant speed.”
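To make the notice's numbers concrete, here is an added illustration (not code from the article or from LastPass) of what a server-side authentication hash with a random salt and 100,000 rounds looks like, and why each stolen hash costs an attacker a full 100,000-round derivation per guess. It assumes PBKDF2-HMAC-SHA256 as the iterated hash; the article only names the round count and the salt.

```python
import hashlib
import hmac
import os
import time

ROUNDS = 100_000  # the iteration count cited in the LastPass notice


def make_auth_hash(master_password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Derive the server-side authentication hash.

    Assumption: PBKDF2-HMAC-SHA256 is the iterated hash; the article only
    says "100,000 rounds" and "a random salt".
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, rounds)


def new_record(master_password: str) -> dict:
    """What a server keeps: a fresh per-user random salt, the round count and
    the derived hash. The master password itself is never stored."""
    salt = os.urandom(16)
    return {"salt": salt, "rounds": ROUNDS, "hash": make_auth_hash(master_password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Re-derive with the stored salt and rounds; constant-time compare so the
    check itself leaks nothing about how many bytes matched."""
    derived = make_auth_hash(candidate, record["salt"], record["rounds"])
    return hmac.compare_digest(derived, record["hash"])


def seconds_per_derivation(rounds: int) -> float:
    """Time one derivation at a given round count. The ratio between a high and
    a low count is the factor by which iteration slows every offline guess
    against a stolen hash; the random salt stops that work being shared
    between users who chose the same password."""
    salt = b"\x00" * 16  # constructed fixed salt; only the timing matters here
    start = time.perf_counter()
    make_auth_hash("timing-probe", salt, rounds)
    return time.perf_counter() - start


if __name__ == "__main__":
    rec = new_record("correct horse battery staple")  # constructed sample password
    print("login ok:", verify(rec, "correct horse battery staple"))
    print("wrong pw:", verify(rec, "password123"))
    # same password for two users: different salts, so different hashes
    print(make_auth_hash("hunter2", os.urandom(16)) != make_auth_hash("hunter2", os.urandom(16)))
    print(f"{ROUNDS} rounds: {seconds_per_derivation(ROUNDS):.3f}s per guess")
```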
This is still a major incident though, and LastPass users should change their master password to ensure that their account is secure. LastPass is working with the authorities and security forensic experts to resolve the issues and says it is “dedicated to transparency and proactive measures to protect our users.”
LastPass advises users that although their master password should be changed, it is safe to wait until the company sends a prompt to do so. The company’s servers are currently under very heavy load handling all the requests, so it is trying to coordinate the password changes so that they are completed as quickly as possible.